Best Practices: Whitelisting Citrix and Webex from the SSL Scanner

Version 4

     

    Introduction

     

    This article describes McAfee Maintained Subscribed Lists and how to use them to allow Citrix and Webex through the SSL Scanner on the McAfee Web Gateway . This is done through bypassing the IP address ranges used by Webex and Citrix for their SSL connections. This guide will focus on adding a McAfee Maintained Subscribed List to bypass these applications from the SSL Scanner.

     

    Although this topic will cover Citrix and Webex, there are many other Mcafee Maintained Subscribed Lists that can be useful for your policy. Examples include;

     

    • Known Certificate Authorities (Find more info here)
    • Windows Update Servers
    • Office 365 (Exchange, Lync, ProPlus, SharePoint, Federation and Yammer)
    • Amazon Cloud Services
    • Antimalware Update Servers (AVG, Symantec, ESET, Trendmicro, etc…)
    • Linux distribution specific update servers

     

    The list creation instructions covered below will also apply to these lists above.

     

    Why do we need to bypass this traffic from the SSL Scanner?

     

    The MWG is an HTTP proxy and inspects HTTP/HTTPS based traffic. Some applications will encrypt their proprietary protocol traffic with SSL. When the SSL Scanner is enabled, the MWG opens up the SSL tunnel to look at the traffic inside. Instead of finding normal HTTP traffic, it finds non-HTTP traffic, which causes the MWG to reset the connection. To prevent this from happening, we will want to bypass this traffic from the SSL Scanner using McAfee Maintained Subscribed Lists.

     

    What is a McAfee Maintained Subscribed List?

     

    This is a list which is maintained off box from the Web Gateway by McAfee. This feature is meant to reduce administrative overhead for ever-changing web applications. McAfee maintains these lists for you and your MWG appliance can update them automatically on a specified schedule.

     

    The maintained lists in this example will include a variety of IP addresses for a specific application that you can use in your ruleset as criteria for bypassing from the SSL Scanner. This is a benefit for administrators so they do not need to monitor and maintain changes to the WebEx or Citrix IP ranges used for their products.

     

    Another example is the "Trusted Certificate Authorities" maintained list. As new Authorities become certified and trusted, the MWG automatically adapts and administrators do not need manually add anything.

     

    How do I add a McAfee Maintained Subscribed List?

     

    Note: This example shows how to add a list for WebEx, you can substitute this list for the application of your choice.

     

    Follow along with the screenshots below the instructions.

      1. Select Policy
      2. Select “Lists” From the tabs on the left.
      3. Select the green add button (see screenshot)
      4. Enter in a name for the list, in my testing I used “WebEx Subscribed List”. You can substitute it for whatever list name you want to give.
      5. Select “List content is managed remotely”
      6. Select radio button for McAfee Maintained List
      7. Select choose and select your respective list you want to add. In this example I am doing the WebEx IP Ranges. (see screenshot)
      8. Click OK on all the dialog boxes then save changes.
      9. You can verify the list is updated from Policy>Lists>Subscribed Lists>IPRange>WebEx Subscribed List (McAfee maintained). This will contain a list of IP ranges. (see screenshot)

     

     

    1.png

    list.png

     

    Note: If the list is not populated, see the troubleshooting section further below.

     

    How can I use this list in my policy?

     

    We will use the list as criteria to bypass from the SSL Scanner.

     

    Follow along with the screenshot

      1. Go to your SSL Scanner ruleset: SSL Scanner> Handle Connect Call
      2. Add Rule
      3. Name: SSL Bypass (Can be whatever you want though)
      4. Rule Criteria: URL.Destination.IP Is in range list WebEx Subscribed List
      5. Action: Stop Rule Set
      6. Save Changes.

    summary2.png

     

    Test out the application to verify the rule is working correctly.

     

    Note: This ruleset specifically bypasses these IP ranges from the SSL Scanner ONLY. If you have any other rules below your SSL Scanner which may block these ranges. You should change the rule to a Stop Cycle Action.

     

    Troubleshooting

    What if the application still doesn’t work after creating the bypass?

     

    You will want to take a network capture while reproducing the issue. Send this capture in to support along with a feedback. Include the client IP that you tested with when reproducing the issue. Instructions for the capture can be found at:

    https://kc.mcafee.com/corporate/index?page=content&id=KB75056

     

    Feedback can be generated from Troubleshooting>Feedback>Create Feedback File.

     

    What if I need to add to a subscribed list?

     

    You can contact Technical Support to suggest additions to a Subscribed List.

     

    What if my maintained list does not update?

     

    This list is handled by the same update process as your URL filter and AV DAT updates. As such, the maintained lists will use update proxy settings if there are any defined. Its best to start troubleshooting by examining the update.log file. The update.log file is located under Troubleshooting > Logfiles > update. Look for any error message related to updating the maintained list.

    If you cannot determine the source of the issue from the update logs, generate a feedback and take a packet capture while reproducing the issue. Lastly, contact technical support with this data.

     

    Note: You’ll want to filter the capture for port 443 to minimize the size of the capture. (Troubleshooting > Packet Tracing) You can use these command line parameters to capture this content:

    -s 0 –i any port 443